From dd2ca60acb2317d0e2fc46d135373226ee460eaa Mon Sep 17 00:00:00 2001
From: YOSHIOKA Takuma
Date: Sun, 1 Sep 2019 21:18:11 +0900
Subject: [PATCH] Add advisory for string-interner

---
 crates/string-interner/RUSTSEC-0000-0000.toml | 20 +++++++++++++++++++
 1 file changed, 20 insertions(+)
 create mode 100644 crates/string-interner/RUSTSEC-0000-0000.toml

diff --git a/crates/string-interner/RUSTSEC-0000-0000.toml b/crates/string-interner/RUSTSEC-0000-0000.toml
new file mode 100644
index 0000000..9623726
--- /dev/null
+++ b/crates/string-interner/RUSTSEC-0000-0000.toml
@@ -0,0 +1,20 @@
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "string-interner"
+date = "2019-08-24"
+title = "Cloned interners may read already dropped strings"
+description = """
+Affected versions of this crate did not clone contained strings when an interner is cloned.
+Interners have raw pointers to the contained strings, and they keep pointing the strings which the old interner owns, after the interner is cloned.
+If a new cloned interner is alive and the old original interner is dead, the new interner has dangling pointers to the old interner's storage, which is already dropped.
+
+This allows an attacker to read the already freed memory.
+The dangling pointers are used by the interners to check a string is already interned.
+An attacker can do brute force attack to get the data pointed by the dangling pointer.
+
+The flaw was corrected by .
+This patch implements `Clone` manually to the interner type, so that the internal raw pointers always point the strings owned by the same interner.
+"""
+patched_versions = [">= 0.7.1"]
+url = "https://github.com/Robbepop/string-interner/issues/9"
+keywords = ["use after free"]
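Review bot: The description line `The flaw was corrected by .` names no fixing change, at least as the hunk reads here (an angle-bracketed link may have been lost in rendering), so a reader of the advisory cannot trace the `>= 0.7.1` bound in `patched_versions` to a commit or pull request; it should read `The flaw was corrected by <FIX-REFERENCE-PLACEHOLDER>.` with the actual fix URL, since the `url` field only points at the issue report. The impact statement `This allows an attacker to read the already freed memory.` understates the risk described two lines later: the dangling pointers are dereferenced whenever the cloned interner checks whether a string is already interned, and dereferencing freed storage is undefined behaviour, not merely a stale read, so a sentence such as `Dereferencing the dangling pointers during lookup is undefined behaviour; exposure of freed memory is one possible outcome.` would state the severity more accurately. Two wording fixes in the same string: `keep pointing the strings` should be `keep pointing to the strings`, and `can do brute force attack` should be `can perform a brute-force attack`. If the database's keyword convention is single hyphenated tokens, `keywords = ["use-after-free"]` would match it; I am not certain of that convention from this hunk alone.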